From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 06/14] qcow: Check failure of bdrv_getlength() and bdrv_truncate()
Date: Wed, 6 Sep 2017 16:02:38 +0200 [thread overview]
Message-ID: <20170906140246.7326-7-kwolf@redhat.com> (raw)
In-Reply-To: <20170906140246.7326-1-kwolf@redhat.com>
From: Eric Blake <eblake@redhat.com>
Omitting the check for whether bdrv_getlength() and bdrv_truncate()
failed meant that it was theoretically possible to return an
incorrect offset to the caller. More likely, conditions for either
of these functions to fail would also cause one of our other calls
(such as bdrv_pread() or bdrv_pwrite_sync()) to also fail, but
auditing that we are safe is difficult compared to just patching
things to always forward on the error rather than ignoring it.
Use osdep.h macros instead of open-coded rounding while in the
area.
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/qcow.c | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index d07bef6306..f450b00cfc 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -357,7 +357,8 @@ static int get_cluster_offset(BlockDriverState *bs,
{
BDRVQcowState *s = bs->opaque;
int min_index, i, j, l1_index, l2_index, ret;
- uint64_t l2_offset, *l2_table, cluster_offset, tmp;
+ int64_t l2_offset;
+ uint64_t *l2_table, cluster_offset, tmp;
uint32_t min_count;
int new_l2_table;
@@ -370,8 +371,11 @@ static int get_cluster_offset(BlockDriverState *bs,
return 0;
/* allocate a new l2 entry */
l2_offset = bdrv_getlength(bs->file->bs);
+ if (l2_offset < 0) {
+ return l2_offset;
+ }
/* round to cluster size */
- l2_offset = (l2_offset + s->cluster_size - 1) & ~(s->cluster_size - 1);
+ l2_offset = QEMU_ALIGN_UP(l2_offset, s->cluster_size);
/* update the L1 entry */
s->l1_table[l1_index] = l2_offset;
tmp = cpu_to_be64(l2_offset);
@@ -438,8 +442,10 @@ static int get_cluster_offset(BlockDriverState *bs,
return -EIO;
}
cluster_offset = bdrv_getlength(bs->file->bs);
- cluster_offset = (cluster_offset + s->cluster_size - 1) &
- ~(s->cluster_size - 1);
+ if ((int64_t) cluster_offset < 0) {
+ return cluster_offset;
+ }
+ cluster_offset = QEMU_ALIGN_UP(cluster_offset, s->cluster_size);
/* write the cluster content */
ret = bdrv_pwrite(bs->file, cluster_offset, s->cluster_cache,
s->cluster_size);
@@ -448,12 +454,20 @@ static int get_cluster_offset(BlockDriverState *bs,
}
} else {
cluster_offset = bdrv_getlength(bs->file->bs);
+ if ((int64_t) cluster_offset < 0) {
+ return cluster_offset;
+ }
if (allocate == 1) {
/* round to cluster size */
- cluster_offset = (cluster_offset + s->cluster_size - 1) &
- ~(s->cluster_size - 1);
- bdrv_truncate(bs->file, cluster_offset + s->cluster_size,
- PREALLOC_MODE_OFF, NULL);
+ cluster_offset = QEMU_ALIGN_UP(cluster_offset, s->cluster_size);
+ if (cluster_offset + s->cluster_size > INT64_MAX) {
+ return -E2BIG;
+ }
+ ret = bdrv_truncate(bs->file, cluster_offset + s->cluster_size,
+ PREALLOC_MODE_OFF, NULL);
+ if (ret < 0) {
+ return ret;
+ }
/* if encrypted, we must initialize the cluster
content which won't be written */
if (bs->encrypted &&
--
2.13.5
next prev parent reply other threads:[~2017-09-06 14:03 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-06 14:02 [Qemu-devel] [PULL 00/14] Block layer patches Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 01/14] block: pass bdrv_* methods to bs->file by default in block filters Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 02/14] block: remove unused bdrv_media_changed Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 03/14] block: remove bdrv_truncate callback in blkdebug Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 04/14] block: add default implementations for bdrv_co_get_block_status() Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 05/14] qcow: Change signature of get_cluster_offset() Kevin Wolf
2017-09-06 14:02 ` Kevin Wolf [this message]
2017-09-06 14:02 ` [Qemu-devel] [PULL 07/14] block: document semantics of bdrv_co_preadv|pwritev Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 08/14] block: move ThrottleGroup membership to ThrottleGroupMember Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 09/14] block: add aio_context field in ThrottleGroupMember Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 10/14] block: tidy ThrottleGroupMember initializations Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 11/14] block: convert ThrottleGroup to object with QOM Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 12/14] block: add throttle block filter driver Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 13/14] qemu-iotests: add 184 for throttle " Kevin Wolf
2017-09-06 14:02 ` [Qemu-devel] [PULL 14/14] qcow2: move qcow2_store_persistent_dirty_bitmaps() before cache flushing Kevin Wolf
2017-09-07 10:50 ` [Qemu-devel] [PULL 00/14] Block layer patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170906140246.7326-7-kwolf@redhat.com \
--to=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).